Re: Application Flow / security issues



Sounds like you didn't need delegation after all. :)

You should be able to use the network service account on the machine for the
app pool identity and have this work as well. A custom service account
should not be needed. When the network service account is used, the login
will appear to the remote resource to be the AD machine account of the
server. So, if you ACL the resource so that the machine account has the
required access, that should work too.

Running the app pool with your domain account is not a good long term
solution. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Justin Rich" <jrich523@xxxxxxxxxxxxxx> wrote in message
news:e%23k6foRBIHA.4956@xxxxxxxxxxxxxxxxxxxxxxx
I configured a custom app pool using the default settings and then used my
domain creds as the identity. One thing to note (for anyone else reading
this) is that you need to add the account to the IIS_WPG group to allow it
to run an app pool.. had me stumped for a min..

This seems to work, and since I've already spent FAR too much time monkeying
with this, I'm just going to leave it. Hopefully I can get them to create
me a service account.. difficult, but they will at least do that..

I liked it better when I ran small networks and had complete control..
never had problems like this :)

I appreciate your help and detailed responses, Joe!

Thanks
Justin


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eZt9tRRBIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
Do you absolutely need to access the file share with the credentials of
the authenticated user or can you use a fixed service account (the
so-called trusted subsystem architecture)?

If you can use a trusted subsystem design, then this is easy to fix. You
just disable impersonation and make sure your process identity (the app
pool) has the necessary rights on the remote resource.

If you have to delegate and can't configure Kerberos delegation, the only
other way I know of to make this work is to collect plaintext credentials
from the user and log them in locally on the web server. If you
impersonate a token created that way, then delegation is not required.
However, prompting for credentials or using Basic auth to collect them
may not be acceptable to the end users.

Otherwise, if you really need this type of delegated distributed
authentication model, you have to use the stuff that Microsoft gives you
to do this (Kerberos delegation). If your AD guys won't play ball,
you'll need to get the whole politics thing going and address that. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Justin Rich" <jrich523@xxxxxxxxxxxxxx> wrote in message
news:OBimDARBIHA.5752@xxxxxxxxxxxxxxxxxxxxxxx
I don't suppose there is some other adventure I can embark on?
The problem is that I don't run the domain and getting them to do
anything for me is pretty close to impossible.

What are some of my other options? Even if they are a bit out there I'm
willing to try.

Thanks
Justin

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23RjhgzQBIHA.5652@xxxxxxxxxxxxxxxxxxxxxxx
You need delegation IF:
- You are using integrated windows auth in your web app
- Your browser users are accessing the web server from a different
machine (are not logged in locally)
- You want to use the credentials of the authenticated web app user to
access the file share (or other remote resource) via impersonation
- The file share is on a different machine than the web server

It sounds to me like all this is true.

If so, simply impersonating the authenticated user will not work. What
will happen is that if the application is not configured for
delegation, the web app process will not be able to delegate and will
instead fall back to an NTLM login to the file share using the
anonymous user for the login. That will almost certainly always fail
and won't give you the results you want anyway.

So, if you need to delegate, you have more work to do. You need to
ensure that:
- Kerberos authentication to the web app is enabled and working
- Kerberos authentication to the remote resource (the file share in
this case) is also working (make sure you are using NetBIOS or DNS
names and not IP addresses, as Kerb doesn't work with IP addresses)
- The app pool identity is trusted for delegation
- The users being authenticated have not been set to disallow
delegation

If your AD domain is 2003 native, you can also use protocol transition
login and constrained delegation. That allows you to have NTLM auth
instead of only Kerberos on the front end web app, so you can ease one
of these restrictions.

Getting all the Kerb auth stuff working can be an adventure, so good
luck!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Justin Rich" <jrich523@xxxxxxxxxxxxxx> wrote in message
news:OzoYiiPBIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
I had already set the web config, which is why I was able to get the
user info, but it seems that when I go to access the file it refuses to
use that account. Even when I tried your code it still didn't work.

The link made mention of delegation.. how do I know when that's needed?
I'm pretty confused. It says "Delegation is a more powerful form of
impersonation and makes it possible for the server process to access
remote resources while acting as the client."
Isn't it always the server process? Anything I toss in the cs file I
assume is executed as the server process, which in turn is actually the
application pool.

I have already looked into the delegation and because of how the
network is run I will be unable to do that.

I enabled all of the auditing to see if I can catch the failed attempt
and there are no entries (I did however find some other guy trying to
get on my box)..

I'm going to attempt to deploy this on an XP or 2k box rather than a
2k3 because I assume the root of this problem is the application pool.
If anyone can provide some insight as to what's going on here I would
greatly appreciate it.

Thanks
Justin


"Alexey Smirnov" <alexey.smirnov@xxxxxxxxx> wrote in message
news:1191276328.022414.150600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Oct 1, 11:10 pm, Jesse Houwing <jesse.houw...@xxxxxxxxxxxxxxxx> wrote:
Hello Justin,

I'm having some issues with application security and I was wondering if
anyone could point me in the direction of some good resources that
would explain the different levels of security.

The problem I'm currently having is I'm trying to make a web app that
will pull a file from the client (clients are on the LAN and part of
the domain) and it's giving me a denied access..

I have set IIS to not allow anon access (verified with
System.Security.Principal.WindowsIdentity.GetCurrent().Name) which
shows the username correctly.

I assume that what's happening now is it's using the application pool
identity (set to Network Service by default) to go back to the client
instead of the logged in user creds. I tried messing with the identity
of the application pool with no luck.

FileInfo fi1 = new FileInfo(path); <-- problem line

path resolves to something like \\ip\c$\folder\file.txt

I expect the users of my app to be local admins on the machine.

ASP.NET 2.0

You can set impersonation in the web.config. That should fix your
problem.

http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx

--
Jesse Houwing
jesse.houwing at sogeti.nl

or try

System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
try
{
    FileInfo fi1 = new FileInfo(path);
    ...
}
finally
{
    // Always revert to the process identity, even if the file access throws.
    impersonationContext.Undo();
}
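The two remedies discussed in the thread, impersonating the authenticated user (Alexey's snippet) and recognising when the second hop to the share needs delegation (Joe's checklist), combined into one added C# example. This is not code from the thread; it assumes an ASP.NET application using integrated Windows authentication, and the UNC path and identity are supplied by the caller. It reads the WindowsIdentity.ImpersonationLevel and AuthenticationType properties (both present in .NET 2.0) and flags the two conditions Joe names: a token that is not delegation-level, and a UNC path that names the server by IP address, which forces NTLM.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example (not code from the thread). Opens a file on a UNC path as the
// authenticated web user and, if that fails, says which of the thread's
// delegation conditions is the likely cause.
public static class ImpersonatedFileAccess
{
    // Returns null when nothing obvious blocks the second hop, otherwise a hint.
    public static string SecondHopHint(WindowsIdentity identity, string uncPath)
    {
        // A token from a network logon is Impersonation-level: usable locally, but
        // it carries no credentials for a further hop. Only a Delegation-level
        // token (Kerberos, app pool trusted for delegation) can reach the share.
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            return "token is " + identity.ImpersonationLevel + "-level from a " +
                   identity.AuthenticationType + " logon; without delegation the " +
                   "share sees an anonymous NTLM logon";
        }

        // Kerberos needs a host name to build the cifs/<host> SPN; an IP address
        // in the path forces NTLM, which cannot be delegated.
        string host = UncHost(uncPath);
        IPAddress parsed;
        if (host != null && IPAddress.TryParse(host, out parsed))
        {
            return "UNC path names the server by IP address (" + host +
                   "); use its DNS or NetBIOS name so Kerberos is used";
        }
        return null;
    }

    // "\\server\share\dir\file" -> "server"; null if not a UNC path.
    public static string UncHost(string uncPath)
    {
        if (uncPath == null || !uncPath.StartsWith(@"\\")) return null;
        string rest = uncPath.Substring(2);
        int slash = rest.IndexOf('\\');
        return slash < 0 ? rest : rest.Substring(0, slash);
    }

    // Reads the file length while impersonating; reverts even if the read throws.
    public static long FileLengthAs(WindowsIdentity identity, string uncPath)
    {
        string hint = SecondHopHint(identity, uncPath);
        try
        {
            // Dispose() calls Undo(), so the process identity is restored on every path.
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                return new FileInfo(uncPath).Length;
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            throw new UnauthorizedAccessException(Describe(identity, hint), ex);
        }
        catch (IOException ex)
        {
            throw new IOException(Describe(identity, hint), ex);
        }
    }

    static string Describe(WindowsIdentity identity, string hint)
    {
        return "access as " + identity.Name + " failed" +
               (hint == null ? "" : " (likely cause: " + hint + ")");
    }

    // Assumed call site: a page or handler running under the authenticated request.
    public static long FromCurrentRequest(string uncPath)
    {
        WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
        return FileLengthAs(id, uncPath);
    }
}
```

The hint is attached to the exception rather than used to refuse the attempt, because a token obtained from plaintext credentials (Joe's Basic-auth alternative) can reach the share even though it is not delegation-level. If the hint reports a plain Impersonation-level token and delegation cannot be configured, the trusted-subsystem route Joe describes applies: disable impersonation and grant the app pool identity (the machine account when running as Network Service) the required rights on the share.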

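Joe's delegation checklist (Kerberos to the web app, the app pool account trusted for delegation, users not marked non-delegatable, protocol transition on a 2003-native domain) checked from the directory side, as an added C# example that is not from the thread. It uses System.DirectoryServices, which ships with .NET 2.0; the LDAP path, account names and share host are placeholders the caller supplies. When the app pool runs as Network Service, the account to check is the server's machine account (SERVER$), as Joe notes. The userAccountControl bit values are the documented ADS_USER_FLAG constants, and the account name is escaped before it is placed in the LDAP filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example (not from the thread): reads the delegation-related attributes
// of the app pool account and of a test user and maps them onto the checklist.
public static class DelegationPreflight
{
    // userAccountControl bits (ADS_USER_FLAG values).
    public const int TRUSTED_FOR_DELEGATION = 0x80000;           // unconstrained delegation
    public const int NOT_DELEGATED = 0x100000;                   // "sensitive and cannot be delegated"
    public const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; // protocol transition

    // Pure evaluation, kept apart from the LDAP reads so it can be exercised offline.
    public static List<string> Evaluate(int poolUac, IList<string> poolSpns, IList<string> allowedTo,
                                        int userUac, string shareHost)
    {
        List<string> findings = new List<string>();
        if (poolSpns.Count == 0)
            findings.Add("App pool account has no servicePrincipalName: browsers fall back to NTLM for the web app.");
        bool unconstrained = (poolUac & TRUSTED_FOR_DELEGATION) != 0;
        bool constrained = allowedTo.Count > 0;
        if (!unconstrained && !constrained)
            findings.Add("App pool account is not trusted for delegation (no flag, no msDS-AllowedToDelegateTo).");
        if (constrained && !ListsCifs(allowedTo, shareHost))
            findings.Add("Constrained delegation list does not include cifs/" + shareHost + ".");
        if ((poolUac & TRUSTED_TO_AUTH_FOR_DELEGATION) == 0)
            findings.Add("Protocol transition is off: front-end web auth must be Kerberos, not NTLM.");
        if ((userUac & NOT_DELEGATED) != 0)
            findings.Add("Test user is marked 'sensitive and cannot be delegated'.");
        return findings;
    }

    // Accepts cifs/host or cifs/host.fqdn, case-insensitively.
    static bool ListsCifs(IList<string> allowedTo, string shareHost)
    {
        string h = "cifs/" + shareHost.ToLowerInvariant();
        foreach (string spn in allowedTo)
        {
            string s = spn.ToLowerInvariant();
            if (s == h || s.StartsWith(h + ".")) return true;
        }
        return false;
    }

    // Reads both accounts from AD and evaluates them. Runs on a domain-joined host
    // with read access to the domain partition (e.g. "LDAP://DC=example,DC=local").
    public static List<string> CheckAccounts(string domainLdapPath, string appPoolSam,
                                             string userSam, string shareHost)
    {
        using (DirectoryEntry root = new DirectoryEntry(domainLdapPath))
        {
            SearchResult pool = FindBySam(root, appPoolSam);
            SearchResult user = FindBySam(root, userSam);
            if (pool == null || user == null)
                throw new InvalidOperationException("Account not found: " + (pool == null ? appPoolSam : userSam));
            return Evaluate(Int(pool, "userAccountControl"), Strings(pool, "servicePrincipalName"),
                            Strings(pool, "msDS-AllowedToDelegateTo"), Int(user, "userAccountControl"), shareHost);
        }
    }

    static SearchResult FindBySam(DirectoryEntry root, string sam)
    {
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the value so a crafted account name cannot alter the filter.
            searcher.Filter = "(sAMAccountName=" + EscapeFilter(sam) + ")";
            searcher.PropertiesToLoad.Add("userAccountControl");
            searcher.PropertiesToLoad.Add("servicePrincipalName");
            searcher.PropertiesToLoad.Add("msDS-AllowedToDelegateTo");
            return searcher.FindOne();
        }
    }

    // RFC 4515 escaping of the characters that have meaning in a filter.
    public static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    static int Int(SearchResult r, string attr) { return (int)r.Properties[attr][0]; }

    static List<string> Strings(SearchResult r, string attr)
    {
        List<string> list = new List<string>();
        foreach (object o in r.Properties[attr]) list.Add((string)o);
        return list;
    }
}
```

An empty findings list means the directory side matches Joe's list; the remaining condition, that the share is reached by host name rather than IP, is a property of the path the application builds, not of the accounts.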